In recent years, organizations such as large global business enterprises, governmental agencies, political organizations, and even small companies have suffered from data breaches as the world fundamentally relies more and more upon computer systems. Data breaches typically result in the loss and/or disclosure of sensitive, confidential data such as financial, strategic, and/or personal information. Such confidential information could, if it fell into the wrong hands, have significant repercussions for the organization and people associated with the organization.
Data breaches can be persistent over a period of time, or occur only at a single point in time. For example, an insider may carry out a data breach by acquiring small amounts of sensitive information over a relatively long period—e.g., days, weeks, months, or even years. Alternatively, a data breach may occur over a comparatively brief interval, ranging from fractions of a second to minutes or longer, such as when an attacker quickly acquires (e.g., downloads or copies) a large amount of information from the organization.
While many organizations are working to improve their computer and network security, much of the focus tends to be placed on preventing direct threats that come from outside an organization, while detecting threats from within the organization is often neglected. However, it appears that many significant data breaches have ultimately been an “inside job.” Insiders—be they employees, contractors, business associates, or partners—may pose the biggest risk to enterprise data because they have trusted access to sensitive data, and may have inside information concerning the organization's security practices and computer systems.
Such “threats from within” fall into three categories—threats due to malice, negligence, or compromise.
For example, malicious insiders are trusted insiders that intentionally steal data for their own purpose. Edward Snowden and Chelsea Manning are recent high-profile examples.
Edward Snowden was a United States (U.S.) National Security Agency (NSA) contractor and system administrator who acquired approximately four terabytes (TB) of data from the NSA using four laptop computers. Per the NSA, this data allegedly included approximately 1.7 million classified documents, and the incident was the most damaging (known) data breach ever to impact the U.S. Intelligence Community.
Another example of a massive data breach by a malicious insider was from Chelsea Manning (born Bradley Manning), who worked as an intelligence analyst for the U.S. Army and acquired and disclosed approximately three-quarters of a million classified or unclassified but sensitive military and diplomatic documents via the WikiLeaks website.
One more example is the Anat Kamm-Uri Blau affair from 2007. In this breach, former Israeli soldier Anat Kamm, while working as an assistant in the Central Command bureau of the Israel Defense Forces (IDF), secretly copied thousands of classified and/or confidential documents and leaked this information to the Israeli Haaretz journalist Uri Blau.
Careless and negligent insiders are another type of insider threat. These are people within or directly associated with an organization who have no malicious intent, yet expose sensitive enterprise data through careless behavior—usually by cutting corners or simplifying their daily chores.
Another type of insider threat relates to compromised insiders, who allow “external” threats (e.g., cybercriminals or nation-states) to act with the same level of freedom as the trusted insider. This occurs because once an insider is compromised—usually via credential compromise or malware—it is in fact the insider's account that is directly accessing sensitive data. The Sony breach is a classic example of a breach resulting from insider compromise.
The Sony data breach, which was discovered in November 2014, likely had been ongoing for over a year. In this attack, the attackers claimed to have taken over 100 terabytes of data from Sony Pictures Entertainment. Sony later acknowledged that the hackers not only erased data from its systems, but also stole and subsequently released to the public pre-release movies, private communications, and sensitive documents such as salary schedules and social security numbers.
One common way that organizations have attempted to prevent these types of data breaches is to implement file access controls to enforce permissions for accessing files. Typically, such file access control enforcement schemes involve configuring rules that limit which files (or groups of files, storage locations, etc.) may or may not be accessed by specific users.
However, this approach of implementing and enforcing permissions for granting access to files has effectively been a failure. First, it is obvious that many large-scale data breaches continue to occur despite the existence and use of file access control systems. Moreover, as the numbers of users, files, and data in organizations continue to grow, it becomes exponentially more difficult for organizations to manage a “matrix” of user-to-file access permission configuration data. Further, implementing such file access controls can make collaboration between users within the organization very difficult, as the permissions for files may need to be modified very frequently to allow for the different types of permissible accesses by different users at different times.